UNIX and Linux System Administration Handbook by Evi Nemeth & Garth Snyder & Trent R. Hein & Ben Whaley & Dan Mackin

Author: Evi Nemeth & Garth Snyder & Trent R. Hein & Ben Whaley & Dan Mackin
Language: eng
Format: azw3, epub, pdf
Tags: Linux, UNIX, System Administration
Publisher: Pearson Education
Published: 2017-09-15T04:00:00+00:00


Table 17.2: PAM control flags

If PAM could simply return a failure code as soon as the first individual module in a stack failed, the control-flags system would be simpler. Unfortunately, the system is designed so that most modules get a chance to run regardless of their sibling modules’ success or failure, and this fact causes some subtleties in the flow of control. (The intent is to prevent an attacker from learning which module in the PAM stack caused the failure.)

required modules are required to succeed; a failure of any one of them guarantees that the stack as a whole will eventually fail. However, the failure of a module that is marked required doesn’t immediately stop execution of the stack. If you want that behavior, use the requisite control flag instead of required.

The success of a sufficient module aborts the stack immediately. However, the ultimate result of the stack isn’t guaranteed to be a success because sufficient modules can’t override the failure of earlier required modules. If an earlier required module has already failed, a successful sufficient module aborts the stack and returns failure as the overall result.
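The following added example (not from the book or from any PAM implementation) models the control flow described above for the required, requisite, and sufficient flags. The sample configuration and the simulated module outcomes are constructed, and the function names are hypothetical.

```python
# Added example: models the control-flag rules described above; not PAM source code.
SAMPLE_CONFIG = """\
# constructed sample in /etc/pam.d style: type, control flag, module
auth  required    pam_env.so
auth  sufficient  pam_unix.so
auth  required    pam_deny.so
"""

def parse_stack(text, mod_type="auth"):
    """Return [(flag, module)] for one module type, in file order."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, split columns
        if len(fields) >= 3 and fields[0] == mod_type:
            stack.append((fields[1], fields[2]))
    return stack

def evaluate(stack, outcomes):
    """Return (overall_success, modules_run) for simulated module outcomes."""
    failed = False      # a required module has already failed
    passed = False      # at least one required/requisite module succeeded
    ran = []
    for flag, module in stack:
        ran.append(module)
        ok = outcomes[module]
        if flag == "required":
            # Failure is remembered, but later modules still run.
            failed = failed or not ok
            passed = passed or ok
        elif flag == "requisite":
            if not ok:
                return False, ran       # fail and stop immediately
            passed = True
        elif flag == "sufficient":
            if ok:
                return not failed, ran  # stop; an earlier failure still wins
            # A failed sufficient module is ignored; keep going.
        else:
            raise ValueError(f"flag not modeled here: {flag}")
    return passed and not failed, ran

if __name__ == "__main__":
    stack = parse_stack(SAMPLE_CONFIG)
    for outcomes in (
        {"pam_env.so": True, "pam_unix.so": True, "pam_deny.so": False},
        {"pam_env.so": False, "pam_unix.so": True, "pam_deny.so": False},
        {"pam_env.so": True, "pam_unix.so": False, "pam_deny.so": False},
    ):
        print(outcomes, "->", evaluate(stack, outcomes))
```

The second case is the one the text warns about: the sufficient module succeeds and stops the stack, yet the overall result is failure because a required module failed earlier.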

Before you modify your systems’ security settings, make sure you understand the system thoroughly and that you double-check the particulars. (You won’t configure PAM every day. How long will you remember which version is requisite and which is required?)


